Ezuri memory loader used in Linux and Windows malware

Pierluigi Paganini January 08, 2021

Multiple threat actors have recently started using the Ezuri memory loader as a loader to executes malware directly into the victims’ memory.

According to researchers from AT&T’s Alien Labs, malware authors are choosing the Ezuri memory loader for their malicious codes.

The Ezuri memory loader tool allows to load and execute a payload directly into the memory of the infected machine, without writing any file to disk.

Experts pointed out that while this technique common in Windows malware, it is rare in Linux attacks.

“The loader decrypts the malicious malware and executes it using memfd create (as described in this blog in 2018). When creating a process, the system returns a file descriptor to an anonymous file in ‘/proc/PID/fd/’ which is visible only in the filesystem.” reads the post published by AT&T’s Alien Labs.

The loader observed by the researchers in the attacks is written in Golang and borrows the Ezuri code published on GitHub by the user guitmz in March 2019. The user describes its project as a simple Linux ELF Runtime crypter, he wrote the code to demonstrate how to execute the ELF binary files from memory with memfd_create syscall.

The guitmz user also tested its code against VirusTotal to prove that it is able to avoid detection, in particular, he demonstrated that was able to obtain zero rate detection for a known Linux.Cephei sample once it was injected using the Ezuri code (ddbb714157f2ef91c1ec350cdf1d1f545290967f61491404c81b4e6e52f5c41f).

Upon executing the code, it will ask the user the path for the payload to be encrypted and the password to be used for AES encryption to hide the malware within the loader. In case, the password is not provided, the tool generates one. Then the packer compiles the loader with the payload encrypted within it, so it can be decrypted and executed in memory once it is delivered in the targeted system.

Ezuri

In August, the user ‘TMZ,’ likely associated with ‘guitmz,’ posted the same code on a forum where members shared malware.

Researchers from AT&T Alien Labs have identified several malware authors leveraging the Ezuri loader in the last few months, one of them is a threat actor tracked as TeamTNT that has been active since at least since 2020,

The TeamTNT botnet is a crypto-mining malware operation that has been active since April and that targets Docker installs, it is the first cryptomining bot that steals AWS credentials

Experts noticed that the group also used the Ezuri loader that is similar to the original one. 

“In October 2020, Palo Alto Networks Unit42 identified new variants of the cryptomining malware used by TeamTNT named “Black-T.” This sample first installs three network scanners, and then inspects memory in an attempt to retrieve any type of credentials located in the memory. Additionally, Unit42 identified several German-language strings in some of the TNT scripts.” continues the report.

“The last sample identified by Palo Alto Networks Unit42 is actually an Ezuri loader. The decrypted payload is an ELF file packed with UPX, which is a known sample from TeamTNT, first seen in June 2020 (e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3).”

In conclusion, the use of this packer is popular for vxers, such as the technique described to load the ELF binaries into memory. Ezuri allows malware authors to improve their operations, increasing the evasion capabilities of known payloads.

“Several malware authors have been using an open source Golang tool to act as a malware loader, using a known technique to load the ELF binaries into memory and avoid using easy-to-detect files on disk.” concludes the report. “The authors use the open source tool Ezuri, to load its previously seen payloads and avoid antivirus detections on the file.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Golang)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment